Bug 66606 - Would like Signtool to use OCSP and/or check CRLs during verification
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Tools
Version: unspecified
Hardware/OS: Sun Solaris
Priority/Severity: P2 enhancement
Target Milestone: 3.6
Assigned To: Kirk Erickson
QA Contact: Bishakha Banerjee
Reported: 2001-01-25 18:00 PST by Arshad Noor
Modified: 2002-06-13 10:06 PDT (History)

Attachments
Proposed patch (3.31 KB, patch)
2002-06-10 16:02 PDT, Kirk Erickson
julien.pierre: review+

Description Arshad Noor 2001-01-25 18:00:58 PST
We would like to have signtool use the Online Certificate Status Protocol
(OCSP) and CRL checking, when verifying signatures on a signed object.

If the certificate that corresponds to the signing key, has a CRL Distribution
Point in it, it should attempt to load the CRL defined in the CRLDP's URI and
check it for a revoked certificate.

If the certificate that corresponds to the signing key, has an Authority Info
Access extension in it, signtool should attempt to use the OCSP protocol to
make a request to the URI in the AIA extension to validate the certificate.

These two features will make signtool more robust and reliable, since it will
allow customers to verify, in "real-time" that the certificate that signed
the objects has not been revoked.

Note: If you'd like, Sun can help by providing an entire testing infrastructure
for these enhancements.  SunPKI (http://www.sun.com/pki) has established an
infrastructure that publishes CRLs, and supports an OCSP server that is
accessible over the Internet.  Thanks.
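Both checks the reporter asks for start from extensions in the signing certificate: the OCSP responder is named in the Authority Information Access extension (id-ad-ocsp access method) and the CRL location in the CRL Distribution Points extension. As an added example, not code from NSS, signtool or this bug's patch, the stand-alone Python below pulls those URIs out of a DER-encoded Extensions block with a minimal TLV reader. The sample extensions are constructed inline for a hypothetical certificate (ocsp.example, crl.example and ca.example are made-up hosts); caIssuers entries and non-URI names are skipped, and a certificate carrying neither extension yields empty lists, which is the case where a verifier can only fall back to CRLs already installed in its certificate database.

```python
# Added example, not NSS/signtool code: locate the OCSP responder and CRL URIs a
# signing certificate points at, via a minimal DER reader over its Extensions block.

OID_AIA = bytes.fromhex("2b06010505070101")           # 1.3.6.1.5.5.7.1.1  authorityInfoAccess
OID_CRLDP = bytes.fromhex("551d1f")                   # 2.5.29.31          cRLDistributionPoints
OID_AD_OCSP = bytes.fromhex("2b06010505073001")       # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_AD_CAISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
TAG_SEQ, TAG_OID, TAG_OCTETS = 0x30, 0x06, 0x04
TAG_CTX0 = 0xA0    # [0] constructed: DistributionPoint.distributionPoint and DistributionPointName.fullName
TAG_GN_URI = 0x86  # GeneralName uniformResourceIdentifier [6] (IA5String, implicit tag)


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos); refuses truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def expect(tag, want, what):
    if tag != want:
        raise ValueError("expected %s (0x%02x), got tag 0x%02x" % (what, want, tag))


def parse_extension(ext):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    parts = list(iter_tlvs(ext))
    expect(parts[0][0], TAG_OID, "extnID")
    expect(parts[-1][0], TAG_OCTETS, "extnValue")   # the optional critical flag, if present, sits between
    return parts[0][1], parts[-1][1]


def ocsp_uris_from_aia(value):
    """AIA is SEQUENCE OF { accessMethod OID, accessLocation GeneralName }; keep id-ad-ocsp URIs only."""
    tag, body, _ = read_tlv(value)
    expect(tag, TAG_SEQ, "AuthorityInfoAccessSyntax")
    uris = []
    for tag, ad in iter_tlvs(body):
        expect(tag, TAG_SEQ, "AccessDescription")
        (mtag, method), (ltag, location) = list(iter_tlvs(ad))[:2]
        expect(mtag, TAG_OID, "accessMethod")
        if method == OID_AD_OCSP and ltag == TAG_GN_URI:   # caIssuers and non-URI names are skipped
            uris.append(location.decode("ascii"))
    return uris


def crl_uris_from_crldp(value):
    """CRLDP is SEQUENCE OF DistributionPoint; follow distributionPoint [0] -> fullName [0] -> URI names."""
    tag, body, _ = read_tlv(value)
    expect(tag, TAG_SEQ, "CRLDistributionPoints")
    uris = []
    for tag, dp in iter_tlvs(body):
        expect(tag, TAG_SEQ, "DistributionPoint")
        for ftag, field in iter_tlvs(dp):   # reasons [1] / cRLIssuer [2] fall through untouched
            for ntag, names in (iter_tlvs(field) if ftag == TAG_CTX0 else ()):
                if ntag == TAG_CTX0:        # nameRelativeToCRLIssuer [1] is not a fetchable location
                    uris += [gn.decode("ascii") for gtag, gn in iter_tlvs(names) if gtag == TAG_GN_URI]
    return uris


def revocation_sources(extensions_der):
    """Return {"ocsp": [...], "crl": [...]} for a DER Extensions SEQUENCE; empty lists mean
    nothing to fetch, so only CRLs already installed locally can be consulted."""
    tag, body, _ = read_tlv(extensions_der)
    expect(tag, TAG_SEQ, "Extensions")
    found = {"ocsp": [], "crl": []}
    for tag, ext in iter_tlvs(body):
        expect(tag, TAG_SEQ, "Extension")
        oid, value = parse_extension(ext)
        if oid == OID_AIA:
            found["ocsp"] += ocsp_uris_from_aia(value)
        elif oid == OID_CRLDP:
            found["crl"] += crl_uris_from_crldp(value)
    return found


def tlv(tag, body):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_extensions():
    """Constructed Extensions block (hypothetical cert): AIA with caIssuers + OCSP, and one CRL DP."""
    aia = tlv(TAG_SEQ, tlv(TAG_SEQ, tlv(TAG_OID, OID_AD_CAISSUERS) + tlv(TAG_GN_URI, b"http://ca.example/ca.cer"))
                     + tlv(TAG_SEQ, tlv(TAG_OID, OID_AD_OCSP) + tlv(TAG_GN_URI, b"http://ocsp.example/")))
    crldp = tlv(TAG_SEQ, tlv(TAG_SEQ, tlv(TAG_CTX0, tlv(TAG_CTX0, tlv(TAG_GN_URI, b"http://crl.example/signing.crl")))))
    return tlv(TAG_SEQ, tlv(TAG_SEQ, tlv(TAG_OID, OID_AIA) + tlv(TAG_OCTETS, aia))
                      + tlv(TAG_SEQ, tlv(TAG_OID, OID_CRLDP) + tlv(TAG_OCTETS, crldp)))
```

`revocation_sources(sample_extensions())` returns the OCSP responder URI and the CRL URI; what a real verifier does next (fetch the CRL and check its signature and freshness, build and send the OCSP request) is network I/O, which is why a tool that may run offline has to treat these lookups as a configurable policy rather than an unconditional step.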
Comment 1 Keyser Sose 2001-01-28 14:39:34 PST
Marking NEW.
Comment 2 Ian McGreer 2001-01-29 08:27:09 PST
marking signtool bugs as future until 3.3 plan is ready.
Comment 3 Wan-Teh Chang 2001-02-27 15:54:45 PST
Set Target Milestone to NSS 3.3.  Assigned the RFE to
Bob for evaluation.
Comment 4 Robert Relyea 2001-11-28 17:15:14 PST
Wan-Teh, This should be relatively easy (assuming CRLs and OCSP are working ;),
but it's not a critical function for NSS 3.4, so I'm likely to prioritize this
low. (This would be a good candidate for someone else to pick up if we want it
in 3.4).

NOTE: half of this should already be done. CRLs should be working with
signtool. OCSP only requires an option to turn it on.

bob
Comment 5 Wan-Teh Chang 2001-11-29 17:29:43 PST
Assigned the bug to Kirk.

I don't think this needs to be done in 3.4.  It would
be a good idea to talk to the bug reporter about the
time frame.
Comment 6 Wan-Teh Chang 2002-04-25 16:34:48 PDT
Changed the QA contact to Bishakha.
Comment 7 Wan-Teh Chang 2002-05-08 17:07:04 PDT
Set target milestone to NSS 3.5.
Comment 8 Kirk Erickson 2002-05-23 16:17:59 PDT
Reviewed this bug with Julien. We need to make signtool call
CERT_EnableOCSPChecking (handle);

Using a cert with the OCSP extension we should then hit:
ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)

Stumbled across this typo:
kirke@iws-perf[51] rgrep OSCP
./mozilla/security/nss/cmd/certutil/certutil.c:1497:    fprintf(stdout, "%-25s 5 - OSCP Responder\n", "");

Should be OCSP (Online Certificate Status Protocol).
Emailed Julien, thinking he might still be touching certutil.c.

Comment 9 Kirk Erickson 2002-06-10 16:02:04 PDT
Created attachment 87149
Proposed patch

Adds -O argument to signtool command line, which enables
OCSP checking by calling CERT_EnableOCSPChecking().
Comment 10 Kirk Erickson 2002-06-10 16:08:06 PDT
Julien,

I've added you to the cc-list for this bug because it's
your routine that needs calling.
Could you review the patch I've attached?

Thanks,
kirk
Comment 11 Julien Pierre 2002-06-10 16:27:28 PDT
Comment on attachment 87149
Proposed patch

looks good
Comment 12 Kirk Erickson 2002-06-11 09:41:39 PDT
Checked in patch to add -O (enable OCSP checking),
and closed.
Comment 13 Wan-Teh Chang 2002-06-11 13:32:16 PDT
Comment on attachment 87149
Proposed patch

Kirk,

Thanks for coming up with the patch.  Some comments.

1. In this block of code, the indentation of the body of
the inner if statement is wrong:

>+	if (enableOCSP) {
>+		SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
>+		if (rv != SECSuccess) {
>+	        PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
>+	        errorCount++;
>+	        retval = -1;
>+		}
> 	}
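Review bot: the failure branch of `if (rv != SECSuccess)` records the problem (errorCount++, retval = -1) but nothing in the quoted lines stops the run, so if verification proceeds after this block the archive can be checked without the revocation lookup that -O asked for. Make -O fail closed by returning here, or otherwise skipping verification when enableOCSP is set and CERT_EnableOCSPChecking() failed, and include the NSS error code in the message, e.g. PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed (%d).\n", PORT_GetError()); so the cause can be diagnosed from the output.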

2. In the original description of this RFE, the reporter asks
that OCSP be used if the certificate that corresponds to the
signing key has an Authority Info Access extension in it.  In
your patch, the use of OCSP is controlled by the -O option.
This is not exactly what the original RFE asks for.

3. Your patch does not check CRLs so we might want to edit
the bug's summary to reflect what actually got implemented.
Comment 14 Julien Pierre 2002-06-11 15:10:10 PDT
Wan-Teh,

I would say that it is preferable to keep OCSP an option, because some people
may be running signtool offline, or in a non-Internet network where they won't
be able to reach OCSP responders for checking. So it should not be enabled by
default.

As far as CRLs, they should already be checked automatically if they are
installed in the cert DB, but the CRL distribution point is not handled yet.

See bug http://bugzilla.mozilla.org/show_bug.cgi?id=133191
Comment 15 Wan-Teh Chang 2002-06-11 15:37:12 PDT
Please ignore my comments 2 and 3 in comment #13.  Kirk and
Julien have both responded to my questions.  Thanks.

Kirk, you just need to fix the indentation of that if statement.
Comment 16 Kirk Erickson 2002-06-13 10:06:38 PDT
I fixed the indentation shortly after seeing comment #15.
